Changeset 71280 in webkit
- Timestamp:
- Nov 3, 2010 4:41:09 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 3 added
- 8 edited
trunk/JavaScriptCore/ChangeLog
r71272 r71280 1 2010-11-03 Oliver Hunt <oliver@apple.com> 2 3 Reviewed by Gavin Barraclough. 4 5 Crash in Function.prototype.call.apply 6 https://bugs.webkit.org/show_bug.cgi?id=48485 7 8 The problem here was op_load_varargs failing to ensure that 9 there was sufficient space for the entire callframe prior to 10 op_call_varargs. This meant that when we then re-entered the 11 VM it was possible to stomp over an earlier portion of the 12 stack, so causing sub-optimal behaviour. 13 14 * bytecode/Opcode.h: 15 * bytecompiler/BytecodeGenerator.cpp: 16 (JSC::BytecodeGenerator::emitLoadVarargs): 17 * bytecompiler/BytecodeGenerator.h: 18 * bytecompiler/NodesCodegen.cpp: 19 (JSC::ApplyFunctionCallDotNode::emitBytecode): 20 * jit/JIT.cpp: 21 (JSC::JIT::privateCompile): 22 * jit/JITOpcodes.cpp: 23 (JSC::JIT::emit_op_load_varargs): 24 1 25 2010-11-03 Kenneth Russell <kbr@google.com> 2 26 -
trunk/JavaScriptCore/bytecode/Opcode.h
r69940 r71280 163 163 macro(op_call_eval, 4) \ 164 164 macro(op_call_varargs, 4) \ 165 macro(op_load_varargs, 3) \165 macro(op_load_varargs, 4) \ 166 166 macro(op_tear_off_activation, 3) \ 167 167 macro(op_tear_off_arguments, 2) \ -
trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
r70496 r71280 1675 1675 } 1676 1676 1677 RegisterID* BytecodeGenerator::emitLoadVarargs(RegisterID* argCountDst, RegisterID* arguments)1677 RegisterID* BytecodeGenerator::emitLoadVarargs(RegisterID* argCountDst, RegisterID* thisRegister, RegisterID* arguments) 1678 1678 { 1679 1679 ASSERT(argCountDst->index() < arguments->index()); … … 1681 1681 instructions().append(argCountDst->index()); 1682 1682 instructions().append(arguments->index()); 1683 instructions().append(thisRegister->index() + RegisterFile::CallFrameHeaderSize); // initial registerOffset 1683 1684 return argCountDst; 1684 1685 } -
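Review bot: The new operand `thisRegister->index() + RegisterFile::CallFrameHeaderSize` is the value the JIT's register-file bounds check now depends on, yet the only invariant asserted in emitLoadVarargs is the existing `ASSERT(argCountDst->index() < arguments->index())`; the JIT side asserts `argsOffset <= registerOffset`, so the same relation should be checked where the operand is produced, `ASSERT(arguments->index() <= thisRegister->index() + RegisterFile::CallFrameHeaderSize);`, so a future change to how ApplyFunctionCallDotNode allocates its temporaries fails at bytecode generation rather than weakening the check silently. The trailing comment `// initial registerOffset` names the value but not its purpose; `// register offset op_call_varargs will use for the callee frame, so the JIT can bounds-check the whole frame, not just the copied arguments` would tell the reader why a load opcode carries it. The body of emitLoadVarargs is visible in full here, though the hunk cuts the surrounding context.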
trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.h
r69940 r71280 351 351 RegisterID* emitCallEval(RegisterID* dst, RegisterID* func, CallArguments&, unsigned divot, unsigned startOffset, unsigned endOffset); 352 352 RegisterID* emitCallVarargs(RegisterID* dst, RegisterID* func, RegisterID* thisRegister, RegisterID* argCount, unsigned divot, unsigned startOffset, unsigned endOffset); 353 RegisterID* emitLoadVarargs(RegisterID* argCountDst, RegisterID* args);353 RegisterID* emitLoadVarargs(RegisterID* argCountDst, RegisterID* thisRegister, RegisterID* args); 354 354 355 355 RegisterID* emitReturn(RegisterID* src); -
trunk/JavaScriptCore/bytecompiler/NodesCodegen.cpp
r70496 r71280 537 537 generator.emitNode(args->m_expr); 538 538 539 generator.emitLoadVarargs(argsCountRegister.get(), argsRegister.get());539 generator.emitLoadVarargs(argsCountRegister.get(), thisRegister.get(), argsRegister.get()); 540 540 generator.emitCallVarargs(finalDestinationOrIgnored.get(), realFunction.get(), thisRegister.get(), argsCountRegister.get(), divot(), startOffset(), endOffset()); 541 541 } -
trunk/JavaScriptCore/jit/JIT.cpp
r70111 r71280 478 478 479 479 addPtr(Imm32(m_codeBlock->m_numCalleeRegisters * sizeof(Register)), callFrameRegister, regT1); 480 registerFileCheck = branchPtr(Below, AbsoluteAddress(&m_globalData->interpreter->registerFile(). 481 m_end), regT1); 480 registerFileCheck = branchPtr(Below, AbsoluteAddress(&m_globalData->interpreter->registerFile().m_end), regT1); 482 481 } 483 482 -
trunk/JavaScriptCore/jit/JITOpcodes.cpp
r70703 r71280 1667 1667 int argCountDst = currentInstruction[1].u.operand; 1668 1668 int argsOffset = currentInstruction[2].u.operand; 1669 int registerOffset = currentInstruction[3].u.operand; 1670 ASSERT(argsOffset <= registerOffset); 1671 1669 1672 int expectedParams = m_codeBlock->m_numParameters - 1; 1670 1673 // Don't do inline copying if we aren't guaranteed to have a single stream … … 1696 1699 // Bounds check the registerfile 1697 1700 addPtr(regT2, regT3); 1701 addPtr(Imm32((registerOffset - argsOffset) * sizeof(Register)), regT3); 1698 1702 addSlowCase(branchPtr(Below, AbsoluteAddress(&m_globalData->interpreter->registerFile().m_end), regT3)); 1699 1703 -
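Review bot: The widened bounds check `addPtr(Imm32((registerOffset - argsOffset) * sizeof(Register)), regT3)` covers only the inline-copy fast path; the comment at 1670 says inline copying is skipped when a single argument stream is not guaranteed, and both that path and the target of the `addSlowCase` here are outside the hunk, so it is worth confirming the out-of-line helper applies the same whole-frame check, otherwise the register-file overrun described in the ChangeLog would still be reachable through the non-inline path. `(registerOffset - argsOffset) * sizeof(Register)` multiplies an `int` by `size_t`, so a negative difference would wrap before being narrowed by `Imm32`; the new `ASSERT(argsOffset <= registerOffset)` documents the precondition but is debug-only, so a comment such as `// registerOffset is emitted by emitLoadVarargs and is >= argsOffset by construction; see the ASSERT above` would make the dependency on the bytecode generator explicit. emit_op_load_varargs starts and ends outside the hunk.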
trunk/LayoutTests/ChangeLog
r71278 r71280 1 2010-11-03 Oliver Hunt <oliver@apple.com> 2 3 Reviewed by Gavin Barraclough. 4 5 Crash in Function.prototype.call.apply 6 https://bugs.webkit.org/show_bug.cgi?id=48485 7 8 Test for applying arguments to call at the edge of 9 the allocated region of the registerfile. 10 11 * fast/js/call-apply-crash-expected.txt: Added. 12 * fast/js/call-apply-crash.html: Added. 13 * fast/js/script-tests/call-apply-crash.js: Added. 14 (testLog): 15 1 16 2010-11-03 Dimitri Glazkov <dglazkov@chromium.org> 2 17